WPF Comments to OMB regarding AI and Privacy Impact Assessments

Download comments (PDF, 18 pages)

The World Privacy Forum has filed detailed comments to the U.S. Office of Management and Budget (OMB) in response to its Request for Information on Privacy Impact Assessments. Specifically, OMB requested information about how the U.S. Federal government should update or adjust its requirements for Privacy Impact Assessments (PIAs) in regards to changes to data ecosystems brought about by Artificial Intelligence (AI).

WPF had substantive recommendations, including:

    • WPF recommended that existing administrative requirements under the Privacy Act of 1974 could be updated to expressly include the use of AI as a new category of sources of information in a Privacy Act System of Records, address data broker issues, and also address computer matching activities.
    • WPF also recommended that Federal agency Privacy Officers and AI Officers should identify overlaps between PIAs and AI Impact Assessments so that a « silo effect » between the two distinct assessments can be avoided. Technical, legal, and procedural adjustments from both PIAs and AI Impact Assessments at agencies will need to function cooperatively in an ongoing impact assessment process.
    • WPF urged OMB to understand how the changes AI is bringing to ecosystems demands automated assessments of privacy and other aspects of trustworthy AI in a continual, ongoing assessment process. The comments used the example of the U.S. FDA’s new work on how to monitor data drift in its AI models. WPF urged OMB to address the emergence of automated tools that assess privacy and trustworthy AI at scale, and specifically address how to capture the automation of the implementation layer of AI systems in the AI Impact Assessment process. This would include requiring documentation and validation of AI governance tools used to perform checks on privacy and other aspects of trustworthy AI systems in use at federal agencies.
    • WPF recommended several solutions around data, including installing protections regarding the uses of commercially available information by U.S. federal agencies. The recommendations include work regarding consensual collection, ensuring verifiably accurate and independently tested data, and means for individuals to be given protections and redress against adverse impacts arising from inaccurate, out of date, or discriminatory data.
    • WPF also urged OMB to specifically work with indigenous stakeholders and incorporate U.S. indigenous views in its privacy work, including indigenous views regarding collective forms of privacy and work through the issues of how collective privacy interacts with AI systems.
    • And finally, WPF had multiple recommendations regarding how to establish nimble processes for PIA and AI guidance and ensure that AI expertise is joined with legal, privacy, governance, and human rights skills and knowledge.

New forms of automation of privacy assessment and trustworthy AI assessment at scale is still nascent, and will require adjustments in training and processes. WPF closed its comments with a final recommendation regarding this set of issues:

« AI expertise needs to be joined with legal, privacy, governance, and human rights skills and knowledge. Otherwise, there could be meaningful cultural differences as experts learn to adapt to new forms of AI while complying with legal structures and governance requirements pre-dating advanced AI. If this combined skill set is not contained in one person, then perhaps it can be brought together in a cooperative team. This kind of socio-technical-legal plus AI skillset will be indispensable at OMB and will be essential in working through the challenging intersections of AI, privacy, and the need for effective identification of and mitigations for problems. AI cannot be ignored, but neither can the Privacy Act. Both are important. There will need to be a careful and respectful navigation of the interests and tradeoffs made in this negotiation between legal and AI ecosystems. «


Comments of the World Privacy Forum to the Office of Management and Budget regarding Request for Information on Privacy Impact Assessments (PDF, 18 pages)

Related Documents:

Report: Risky Analysis: Assessing and Improving AI Governance Tools, World Privacy Forum, December 2023.